Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to set a standard set for span values

psmp
Explorer
‎12-02-2021 02:15 PM

I have a dhasboard which should show buckets with number of machines by span of time. 

Machine A to F is used for 2 mins

Machines D-T was used for 2hrs

Machine s-Z was used for more than 4hrs

So my graph should show the buckets with time range as a standard set. 

XAxis

<5 mins,

5-30mins

30min - 2hrs

2-4hrs

 > 4hrs

YAxis 

No of machines logged on for <2mins

No of machines logged on for 5-30mins 

and so on.

Logon TimeLogoff TimeMachineNameSessionTimeinMins
12/1/2021 19:3312/1/2021 19:36A3
12/1/2021 16:4612/1/2021 17:04B18
12/1/2021 15:3512/1/2021 15:38C3
12/1/2021 11:3512/1/2021 11:38D120
12/1/2021 16:3512/1/2021 21:35E300

 

Base Search | bucket SessionTimeinMins span=20 | chart count(MachineName) by sessionSpan

But this do not help in achieving what i wanted. Any help is much appreciated.  Ho do I set my X-Axis to show standard buckets like <2min, 30-1h and bring the count into this bucket. 

 

Thanks

 

 

Labels (3)
Labels
0 Karma
Reply

psmp
Explorer
‎12-02-2021 03:37 PM

Thank you @ITWhisperer 

How can I match the events that fall under this buckets?  

like Machine A-X will fall under 5-30min as they all have session times in that timerange. 

Thanks for your time and help.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2021 03:43 PM

Do you mean something like this?

| stats values(MachineName) as MachineName by sessionSpan
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎12-02-2021 03:01 PM 
| eval sessionSpan=case(SessionTimeInMins<5,"5 mins",SessionTimeInMins<30,"5-30mins",SessionTimeInMins<120,"30min - 2hrs",SessionTimeInMins<240,"2-4hrs",1==1,"> 4hrs")
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...